Systems, Methods and Programs for Detecting Unauthorized Use of Text Based Communications Services

ABSTRACT

Systems, methods, and programs for generating an authorized profile for a text communication device or account, may sample a text communication generated by the text communication device or account during communication and may store the text sample. The systems, methods, and programs may extract a language pattern from the stored text sample and may create an authorized profile based on the language pattern. Systems, methods, and programs for detecting unauthorized use of a text communication device or account may sample a text communication generated by the device or account during communication, may extract a language pattern from the audio sample, and may compare extracted language pattern of the sample with an authorized user profile.

This application is a continuation of U.S. patent application Ser. No.13/973,666, filed Aug. 22, 2013, which is a continuation of U.S. patentapplication Ser. No. 13/749,487, filed on Jan. 24, 2013, now U.S. Pat.No. 8,548,811, which is a continuation of U.S. patent application Ser.No. 13/548,534, filed on Jul. 13, 2012, now U.S. Pat. No. 8,386,253,which is a continuation of U.S. patent application Ser. No. 11/315,220,filed on Dec. 23, 2005, now U.S. Pat. No. 8,244,532, the entiredisclosures of which are incorporated by reference herein in theirentirety.

BACKGROUND

The use of streaming text messaging and short text message systems issteadily increasing as a method of electronic communication. As thenumber of devices capable of such communication and the number and sizeof such service providers increases, the more such devices and serviceaccounts are being accessed and exploited by unauthorized users, forexample, to impersonate the authorized user, obtain free communication,steal an authorized user's identity, and/or to cheat at online gambling.

Conventionally, methods are available to evaluate text based on modelsto predict a source of the text. For example, such methods are employedin Bayesian-type email filters used to detect “spam” e-mail. Such asystem is described, for example, in U.S. Pat. No. 6,161,130.

SUMMARY

Systems and methods have been proposed to identify the unauthorized useof mobile voice communication systems, for example, by sampling portionsof the audio communication originating from a mobile device and buildingan authorized user profile based on audio patterns within the audiosamples. Then, subsequent audio patterns are compared with theauthorized user profile to determine whether or not an authorized useris using the device. See, for example, U.S. Pat. No. 8,189,783.

Exemplary systems, methods, and programs, disclosed herein may determinelanguage patterns within text communication, such as short textmessages, for example by sampling all or part of text communications.The systems, methods, and programs may build an authorized profile basedon the determined language patterns, and then evaluate all or part ofsubsequent text communications based on the authorized profile todetermine whether a current user of the messaging device or account isthe authorized user and/or whether a current sender of a communicationto the messaging device or account is an imposter.

Exemplary systems, methods, and programs for generating an authorizedprofile for a text communication device or account, may sample one ormore text communications and may store the text samples. The systems,methods, and programs may extract a language pattern from the storedtext samples and may create the authorized profile based on the languagepattern.

Exemplary systems, methods, and programs for detecting unauthorized useof a text communication device or account may sample a textcommunication, may extract a language pattern from the text sample, andmay compare the extracted language pattern of the sample with anauthorized profile.

BRIEF DESCRIPTION OF THE DRAWINGS

Exemplary implementations will now be described with reference to theaccompanying drawings, wherein:

FIG. 1 shows an exemplary unauthorized use detection system;

FIG. 2 shows an exemplary unauthorized use detection;

FIG. 3 shows an exemplary method for developing an authorized profile;and

FIG. 4 shows an exemplary method of evaluating text messages.

DETAILED DESCRIPTION OF EXEMPLARY IMPLELMETANTIONS

According to one or more of the following examples, short text messagesmay include, for example, instant messaging (IM), messages sent usingthe short message system (SMS), and/or e-mail messages.

According to one or more of the following examples, devices capable ofsending and/or receiving short text messages may include, for example,cell phones, Personal Digital Assistants (PDAs), combination devices(e.g., voice and e-mail, internet, gamming, and/or global positingsystem (GPS)), personal handyphone systems (PHS), personal computers,laptop computers, and/or a client or server of a wired or wirelessnetwork such as an extranet, an internet, the Internet, and inparticular the world Wide Web (WWW).

FIG. 1 shows an exemplary communication system including an unauthorizeduse detection system 100. As shown in FIG. 1, the communication systemmay include, for example, a network 102, an end-user mobile device 104,and a message authentication system 106. As shown in FIG. 1, theunauthorized use detection system 100 may include the messageauthentication system 106 and all or part of the network 102.

The network may include, for example, a wired or wireless network, suchas, for example, one or more of a wired telephone network, a wirelesstelephone network, an intranet, an extranet, a local area network, awide area network, a storage area network, and/or the Internet. Wherethe network 102 is a telephone network (wired or wireless) or a largescale computer network such as the Internet, only that portion of thenetwork 102 that receives text samples and transmits them to and/orbetween the message authentication system 106 and/or the end-user device104 may be part of the system 100.

Alternatively, all or part of the message authentication system 106 maybe included within the end-user device 104, in which case the network102 need not be included in the system 100.

In general operation, the unauthorized use detection system may be basedon messages sent by the end-user account or device 104. The messageauthentication system 106 may collect one or more text samples of a textmessage sent by the device 104 and may develop an authentic user profilefor the user of the device. The authentic user profile may be based onone or more language patterns obtained by evaluating the one or moretext samples of the primary user. The authentic user profile may then beused to determine whether or not messages sent from the end-user accountor device 104 are being authored by the primary user.

Alternatively, the unauthorized use detection system 100 may be based onmessages received by the end-user account or device 104. The messageauthentication system 106 may develop an authentic sender profile foreach correspondent that the end user communicates with frequently. Eachfrequent correspondent may be identified by, for example, an associatedaddress, such as an instant messaging screen name, IP address, telephonenumber, and/or an email address. For each correspondent's address, themessage authentication system 106 may collect one or more text samplesreceived from that address. Then, the message authentication system 106may develop an authentic sender profile for the address based languagepatters obtained by evaluating the text samples received from thefrequent correspondent. In this manner, as described below, theauthentic sender profiles may be used by the device 104 to detectimposters attempting to send a message using a frequent correspondent'saccount or device.

As used herein, the term “language patterns” is intended to encompass,for example, at least one or more representations of individual orsequences of characters (alpha numeric, punctuation, white spacecharacters, etc.), words, emoticons, icons, phrases, phonemes,syllables, and/or numbers. The language pattern may, for example,consist of a stochastic n-gram language model, or may consist ofsomething as simple as a collection of words and phrases. The authenticuser profile need not be tied to the grammar of the text message (e.g.,separately evaluating the rules governing the order of the words),rather the sample may include the patterns of words, characters, etc.,such as for example used in Bayesian filters. In this manner, theauthentic user profile may be language independent and doesn'tnecessarily require complex grammar evaluation models.

A useable authentic user profile or authentic sender profile may bebased on as few as one sample, a useable authentic profile may be basedon a predetermined number of samples, or a developed authentic profilemay be considered usable when variations between one or more of therespective language patterns included in the profile are withinpredetermined statistical tolerances. Furthermore, a single sample mayconsist of a part of a message or of the entire message. Thereby, thesampling may consist of the entire contents of all messages transmitteduntil the system has determined that a sufficient number of samples havebeen collected.

In the case in which the system 100 is based on messages sent by theend-user account or device 104, once the authentic user profile isdetermined, the message authentication system 106 may continue to sampletext from the text messages sent by the end-user mobile device 104. Forthe case in which the system 100 is based on messages received by theend-user account or device 104, the message authentication system 106may continue to sample text from the text messages received by theend-user device 104.

In either or both cases, these subsequent samples, for example, may betaken from each message, every predetermined number of transmissions, orat random. Again, a sample may consist of a part of a message or of theentire message. The message authentication system 106 may then evaluateone or more of the subsequent samples in a similar manner as above, toextract language patterns and compare the extracted language patternswith the authentic user profile to determine if the primary userauthored the subsequent samples or compare the extracted languagepatterns with the authentic sender profile associated with the messagesender's address to determine if the frequent correspondent authored thesubsequent sample.

If, based on the evaluation, the message authentication system 106determines that the primary user did not author one or more of thesubsequent samples, the message authentication system 106 may determinethat the end-user device 104, or the authorized user's text messagingaccount, is being used by an unauthorized user. If, based on theevaluation, the message authentication system 106 determines that thefrequent correspondent associated with the address from which themessage was sent did not author one or more of the of the subsequentsamples sampled from messages originating at that address, the messageauthentication system 106 may determine that the frequentcorrespondent's account or device, is being used by an imposter.

In either or both cases, this determination may be made based on as fewas one subsequent sample. Alternatively, the determination may be madeif a predetermined percentage of a predetermined number of subsequentsamples is determined to have been authored by an unauthorized userand/or imposter.

In the case in which the system 100 is based on messages sent by theend-user account or device 104, based on the determination that theend-user device 104, or the user's text messaging account, is being usedby an unauthorized user, the device's service may be, for example,suspended and the primary user may be notified by an alternate channelthat the device 104 (or password to an account) has been lost or stolen.Furthermore, if the device 104 is equipped with GPS, its location may bedetermined. Alternatively, the device's stationary location may beidentified by an IP address. As a result, the unauthorized user'slocation may be provided to the user and or reported to the police.

For the case in which the system 100 is based on messages received bythe end-user account or device 104, based on the determination that thefrequent correspondent's end-user device or account is being used by animposter, the user of the end-user device 104 may be alerted (forexample, in a manner hidden to the imposter) that they may becommunicating with an impostor. This alert may be signaled to therecipient's end-user device 104 by a text message or other alert fromthe message authentication system 106, or by sending a signal that, forexample, opens a warning message on the recipient end-user device'sscreen.

FIG. 2 shows an exemplary unauthorized use detection system 150. Asshown in FIG. 2, the exemplary unauthorized use detection system 150 mayphysically, functionally, and/or conceptually include, for example, acontroller 152, a memory 154, a language analyzer 156, a message sampler158, a network interface 160, and/or an authorization tester 162, each,for example, appropriately interconnected by one or more data/controlbusses, application programming interfaces, and/or, wired or wirelessnetwork connections 160. The language analyzer 156, message sampler 158,and authorization tester 162 may be implemented using any appropriatecombination of circuits, routines, and/or applications and may beappropriately combined into a single circuit routine or application orwith, or as part of, the controller. Further, the language analyzer 156,message sampler 158, and authorization tester 162 may be physically,functionally, or conceptually further divided into multiple circuits,routines, or applications.

While FIG. 2 shows system 150 using bus architecture, any type ofhardware architecture, including wired and wireless networks, may beused based on implementation details. For example, memory 154 andnetwork interface 160 may be individually connected to controller 152.Also, these hardware components may be implemented using any availablehardware technology such as FPGA, PAL, application specific integratedcircuits (ASICs), etc.

As shown in FIG. 2 the memory may be physically, functionally, and/orconceptually divided into, for example, an authentic profile portion 154a and/or a recent text samples portion 154 b. The authentic profileportion 154 a may store the language patterns included in the authenticuser profile and/or the authentic sender profiles. The recent textsamples portion 154 b may store text sampled from recent usage of theend-user device 104 or the user's text message account.

The memory 154, shown in FIG. 2, can be implemented using anyappropriate combination of alterable memory and/or non-alterable memory.The alterable memory, whether volatile or non-volatile, can beimplemented using any one or more of static or dynamic RAM, a removabledisk and disk drive, a writeable or re-writeable optical disk and diskdrive, a hard drive, and/or flash memory. Similarly, the non-alterableor fixed memory can be implemented using any one or more of ROM, PROM,EPROM, EEPROM, and/or an optical ROM disk, such as CD-ROM or DVD-ROMdisk.

The language analyzer 156 may input a text sample and determine thevarious language patterns within the text sample. The language analyzer156 may also compare language patterns of one text sample with thelanguage patterns within the authentic user profile and determinewhether the sample was authored by the primary user of the device and/oraccount or may compare language patterns of one text sample with thelanguage patterns within the authentic sender profile and determinewhether the sample was authored by an imposter.

The text sampler 158 may input, for example, a text message stream, atext message, or a packet of a concatenated message, and extract textsamples representative of the message. The samples may be, for example,taken from a particular part of a message. For example at the beginningof a text message certain greetings are commonly used, thereby allowingthe language patterns to be derived from a portion of the messagecommunicating a similar user intent. However, because the systemcompares language patterns of a text message rather than relying onspecific words, the text samples may be taken at any point in themessage, irrespective of the meaning of the words written.

The network interface 160 may allow one or more of the elements of thesystem 150 to communicate with a network, such as for example, network102.

In general, there are two phases of operation of the exemplaryunauthorized use detection system 150: the authentic user and/or senderprofile preparation phase and the unauthorized use detection phase.During the authentic user and/or sender profile preparation phase, undercontrol of the controller 152, a text stream, message, or packet,originating from (to develop an authenticated user profile) or receivedby (to develop an authenticated sender profile) the end-user device 104or the user's account is input to the text sampler 158, for example, viathe network interface 160. Under control of the controller 152, the textsampler 158 samples a portion or portions of the message and stores thesampled portion(s) in the recent text samples portion 154 b.Alternatively, the sampled portion(s) may be input directly into thelanguage analyzer 156. The language analyzer 156 may access the textsamples provided by the text sampler and may extract language patternsfrom the samples. Representations of the language patterns, undercontrol of the controller 152, may then be stored in the authenticuser/sender profile portion 145 a.

In the case in which the system 150 is based on messages sent by theend-user account or device 104, the sampled text may be only thatportion of the text message authored by the user. For example, only thetext generated by the associated end-user device 104 may be included inthe sample. Similarly, only the text generated by the user's account maybe included in the sample.

For the case in which the system 150 is also or alternatively based onmessages received by the end-user account or device 104, the sampledtext may be only that portion of the text message authored by the partywith whom the user is communicating: For example, only the text receivedby the associated end-user device 104 may be included in the sample.Similarly, only the text received by the user's account may be includedin the sample.

Any subsequent text samples generated from subsequent messages may alsostored in the recent text samples portion 154 b and the languagepatterns extracted from the samples may be stored in, or used to update,the authentic profile portion 154 a. The subsequently extracted languagepatterns may be separately stored for each text message, or may be usedto modify the previously stored profile to develop, for example, astatistical distribution of occurrence of phrases of a given length (forexample, 2 words long or 3 words long) across many samples.

The above process may be repeated by the system 150 until it isdetermined that the pattern representations stored in the authenticprofile portion 154 a are sufficient to identify the authentic user'slanguage patterns in additional samples (when developing an authenticuser profile) and/or the pattern representations stored in the authenticprofile portion 154 a are sufficient to identify a particular frequentcorrespondent's language patterns in additional samples (when developingone or more authentic sender patterns). For example, the profile(s) maybe considered sufficient when a predetermined number of samples havebeen collected and analyzed, when the standard deviation among sampledpatterns from the profile(s) is within a certain range, and/or when thenumber of new words or phrases detected per transmission falls below athreshold. If the language patterns were stored separately for eachsample, upon the determination that the patterns are sufficient toidentify the authorized user or a frequent correspondent, the patternsmay be reduced, by consolidating similar patterns into a singlerepresentative pattern with associated an occurrence score. When theauthentic user profile and/or one or more authentic sender profiles arecreated, the system 150 may enter the second phase of operation.

In the case in which the system 150 is evaluating messages sent by theend-user account or device 104, during the unauthorized use detectionphase, a text stream, message, or packet, sent from the user's end-userdevice 104 and/or originating from the user's account are input, undercontrol of the controller 152, to the text sampler 158. Under control ofthe controller 152, the text sampler 158 samples the message and storesat least one sample of the message in the recent text samples portion154 b. Alternatively, the sample(s) may be input directly to thelanguage analyzer 156. A sample may consist of the whole or of a part ofthe text stream, message or packet. Under control of the controller 152,the language analyzer 156 may access a recent sample and the authenticuser profile and may compare the language patterns within the recentsample to the representations of language patterns in the authentic userprofile.

Under control of the controller 152, based on the comparison, thelanguage analyzer 156 may determine whether the recent sample wasauthored by the authorized user. If the language analyzer 156 determinesthat the recent sample was not authored by the authorized user, undercontrol of the controller 152, the sample may be stored in the recenttext samples portion 154 b with an indication that the sample is notauthored by the authorized user. If the language analyzer 156 determinesthat the recent sample was authored by the authorized user, undercontrol of the controller 152, the sample may be stored in the recenttext samples portion 154 b with an indication that the sample wasauthored by the authorized user. Alternatively, only the indication maybe stored and the sample may be discarded.

When, for example, a certain number of samples and/or indications havebeen evaluated and stored in the recent text samples portion 152 b, or acertain amount of time has passed, under control of the controller 152,the authorization tester 162 may access the stored recent samples anddetermine whether the authorized user has been the primary user of themobile end-user device 104 and/or the user's text message account. Thedetermination may be made based on, for example, whether a percentage ofthe stored samples that are determined to be authored by someone otherthan the authorized user exceeds a predetermined limit. Under control ofthe controller 152, the determination may be output for use by, forexample, a service provider.

For the case in which the system 100 is based on messages received bythe end-user account or device 104, during the unauthorized usedetection phase, a text stream, message, or packet, received by theuser's end-user device 104 and/or received by the user's account areinput, under control of the controller 152, to the text sampler 158.Under control of the controller 152, the text sampler 158 samples themessage and stores at least one sample of the message in the recent textsamples portion 154 b. Alternatively, the sample(s) may be inputdirectly to the language analyzer 156. A sample may consist of the wholeor of a part of the text stream, message or packet. Under control of thecontroller 152, the language analyzer 156 may access a recent sample andthe authentic sender profile corresponding to the address from which therecent sample was sent and may compare the language patterns within therecent sample to the representations of language patterns in theauthentic sender profile.

Under control of the controller 152, based on the comparison, thelanguage analyzer 156 may determine whether the recent sample wasauthored by the frequent correspondent associated with the authenticsender profile. If the language analyzer 156 determines that the recentsample was not authored by the frequent correspondent, under control ofthe controller 152, the sample may be stored in the recent text samplesportion 154 b with an indication that the sample is not authored by thefrequent correspondent. If the language analyzer 156 determines that therecent sample was authored by the frequent correspondent, under controlof the controller 152, the sample may be stored in the recent textsamples portion 154 b with an indication that the sample was authored bythe frequent correspondent. Alternatively, only the indication may bestored and the sample may be discarded.

When, for example, a certain number of samples have been evaluated andstored in the recent text samples portion 152 b, or a certain amount oftime has passed, under control of the controller 152, the authorizationtester 162 may access the stored recent samples/and or indications anddetermine whether the frequent correspondent has been the primarymessage sender associated with the frequent correspondent's address. Thedetermination may be made based on, for example, whether a percentage ofthe stored samples and/or indications that are determined to be authoredby someone other than the frequent correspondent exceeds a predeterminedlimit. Under control of the controller 152, the determination may beoutput for use by, for example, a service provider.

An exemplary method 300 for developing an authorized user profile and/orauthorized sender profile is shown in FIG. 3. The exemplary method maybe implemented, for example, by one or more components of theabove-described systems 100, 150. However, even though the exemplarystructure of the above-described systems may be referenced in thedescription of the method, it should be appreciated that the referencedstructure is exemplary and the exemplary method need not be limited byany of the above-described exemplary structure.

As shown in FIG. 3, in step 310 it is determined whether enough textsamples generated by the user device 104 (in the case of an authorizeduser profile) or received from a particular address (in the case of anauthorized sender profile) have been collected. If enough samples havebeen collected, the authorized user/sender profile may be consideredcomplete, and in step 360 operation ends. If enough samples have notbeen collected, operation continues to step 320. The determination ofwhether enough samples have been collected may be made, for example,based on the total number of samples, an elapsed time, or one or morestatistical properties of the profile is within a predetermined limit.In step 320, it is determined whether the device and/or account is beingused in text communication. Once the device is being used in textcommunication, operation continues to step 330.

In step 330, a text sample is taken from the current text communication.In a case in which an authentic user profile is being developed, forexample, a text stream, message, or packet, originating from theend-user device or the user's account is sampled. In a case in which anauthentic sender profile is being developed for a particular address,for example, a text stream, message, or packet, originating from theaddress and received by the end-user device or the user's account issampled. Then, in step 340, the text sample is evaluated to extractlanguage patterns within the sample. Next, in step 350, the languagepatterns extracted from the sample are, for example, stored to create anauthorized user/sender profile or used to update an existing authorizeduser/sender profile. Operation of the method returns to step 310 andrepeats until enough samples have been collected.

An exemplary method 400 for evaluating text messages is shown in FIG. 4.The exemplary method may be implemented, for example, by one or morecomponents of the above-described systems 100, 150. However, even thoughthe exemplary structure of the above-described systems may be referencedin the description of the method, it should be appreciated that thereferenced structure is exemplary and the exemplary method need not belimited by any of the above-described exemplary structure.

As shown in FIG. 4, the method begins in step 410 where it is determinedwhether an end-user device and/or user's account is being used in textcommunication. Once the device/account is being used in textcommunication, in step 420, a portion of the communicated text messageis sampled. In the case in which a user of the end-user device is beingevaluated, the text sampled will be the text generated by the end-userdevice and/or user's account. In the case in which the party with whomthe user is communicating is being evaluated, the text sampled will bethe text received by the end-user device and/or user's account.Operation continues to step 430.

In step 430, the sampled text is evaluated to extract language patternswithin the sample. Then, in step 440, the language patterns extractedfrom the sample may be stored. In step 450, it is determined whetherenough samples have been evaluated and their language patterns stored.For example, this determination may be made on the total number ofsamples or an amount of time that has elapsed since a previousevaluation of stored samples. If enough samples have not been collected,operation returns to step 410. If enough samples have been collected,operation continues to step 460, where the stored language patternswithin the samples are compared with an authorized profile. In the casein which a user of the end-user device is being evaluated, the storedpatterns are compared with the authorized user profile. In the case inwhich the party with whom the user is communicating is being evaluated,the stored samples are compared with the authorized sender profilecorresponding to the address from which the samples were taken.

In either or both cases, for example, the number of samples thatconstitutes enough samples may be set to one. In this way, each samplemay be compared to the authorized user/sender profile, and an evaluationof the user or sender's authenticity may be performed on eachtransmission.

For example, each sample's language patterns may be compared with thepatterns in the authorized user profile or authorized sender profile todetermine whether the sample, and thus the associated communication, wasauthored by the respective authorized user or frequent correspondent.The comparison may be made within certain statistical tolerances, forexample, based on the reliability of the authorized user profile. Forexample, if the profile is rather new, that is, based on only a fewsamples, then the comparison may allow for a larger deviation from theprofile to be considered a match. Similarly, if the profile is based onmany samples, then the comparison may only allow for a smaller or nodeviation from the profile to be considered a match.

Then, evaluated samples maybe evaluated to determine, for example, whatpercentage of the total number of samples represent communications bythe authorized user (in the case of evaluating the user) or, forexample, what percentage of the total number of samples from a frequentcorrespondent's address represent communications by the frequentcorrespondent (in the case of evaluating the party with whom the user iscommunicating). In the case in which a user of the end-user device isbeing evaluated, if a predetermined percentage of the samples were notauthored by the authorized user, then it may be determined that someoneother than the authorized user is using the end-user device and/oruser's text message account. In the case in which the party with whomthe user is communicating is being evaluated, if a predeterminedpercentage of the samples were not authored by the frequentcorrespondent, then it may be determined that someone other than thefrequent correspondent is using the frequent correspondent's deviceand/or text message account. In step 470, operation of the method ends.

It should be appreciated that according to the above example, once thestored samples are evaluated, they may be discarded in order for anothergroup of samples to be collected. Alternatively, upon evaluation, onlythe oldest sample may be discarded. Then once the next sample isobtained and evaluated the stored samples may be evaluated, in effectcreating an oldest out, newest in, rolling group of samples.Alternatively, samples may not be stored. Rather the samples may beevaluated immediately, and only the results of the evaluation may bestored.

It should also be appreciated that according to the above example, theorder of the steps is not strict, and for example, the samples may eachbe evaluated prior to being stored.

As a result of the above exemplary systems, methods, and programs it ispossible to determine the likelihood that a text message enabledend-user device and/or user account is not being used by the primaryauthorized user. Thus, when it is determined that the end-user deviceand/or account is not being used by the primary authorized user, theprimary authorized user and/or the police may be notified and/orprovided with the location of the device if it is equipped with a GPSreceiver.

Alternatively or additionally, as a result of the above exemplarysystems, methods, and programs it is possible to determine thelikelihood that messages sent to a text message enabled end-user deviceand/or user account from a frequent correspondent's address are notbeing sent by the frequent correspondent. Thus, the user of the device,i.e., the message recipient, may be notified that the sender of themessage may be an impostor.

However, with respect to developing an authorized user profile, it ispossible that an end-user device 104 and/or text message account mayhave more than one authorized user. For example, it is possible that aspouse, sibling, friend, co-worker, etc. may use the device/account andthe primary user may not want to be notified of their use. Accordingly,exemplary systems, methods, and programs may allow a second orsubsequent user to be considered an authorized user of thedevice/account.

For example, an additional user authorization mode may be provided inwhich the second or subsequent user may actively provide text samplesthat will be used to create a second authorized user profile.Alternatively, upon notification that there will be a second user, thesystems, methods, and programs may attempt to evaluate each sample thatis obtained and, based on the samples' language patterns, group thesamples by user. Then, based on the grouped samples, individual userprofiles may be provided for each user. Thus, any number of users may beregistered as authorized users.

It should be appreciated that the above exemplary methods and programsmay be configured to evaluate only messages sent from an associatedend-user device 104 or account, to evaluate only messages received by anassociated end-user device 104 or account, or to evaluate both messagessent from and received by an associated end-user device 104 or account.

It should also be appreciated that the authentic user profile and/orauthentic sender profiles need not be stored within the end-user device.Rather the profiles may be stored, for example, on a server operated bya message service provider and connected to the network 102. In thisrespect, an authentic user profile for the end-user device 104 oraccount may be used as an authentic sender profile for another devicewith which the end-user device 104 or account communicates, and/or theauthentic user profile for another device or account with which theend-user device 104 or account communicates may be used as an authenticsender profile for the end-user device 104 or account.

Furthermore, even if the authentic user profiles are stored within theend-user devices, a stored authentic user profile associated with asender device may be for example, sent in the background along with amessage from that device, or accessed by a recipient device, and thenstored and/or used as an authentic sender profile by the recipientdevice.

While various features have been described in conjunction with theexamples outlined above, various alternatives, modifications,variations, and/or improvements of those features and/or examples may bepossible. Accordingly, the examples, as set forth above, are intended tobe illustrative. Various changes may be made without departing from thebroad spirit and scope of the underlying principles.

What is claimed is:
 1. A method for detecting unauthorized user accountcommunications, comprising: sampling messages associated with anauthorized user of an account to provide a plurality of message samples;creating an authorized profile based on language patterns extracted fromthe plurality of message samples; comparing by a processor a languagepattern extracted from a recent message with the authorized profile todetermine a deviation between the language pattern extracted from therecent message and the authorized profile; determining that the recentmessage is an unauthorized user account communication when the deviationdoes not satisfy an allowable amount of deviation, the allowable amountof deviation being based on an amount of samples in the plurality ofmessage samples; and generating an alert indicating that the recentmessage is an unauthorized user account communication.
 2. The method asrecited in claim 1, further comprising: transmitting the alert to arecipient of the recent message.
 3. The method as recited in claim 1,wherein generating the alert comprises: generating the alert comprisinga location of a device from which the recent message was received. 4.The method as recited in claim 1, wherein sampling the messagescomprises: sampling the messages associated with the authorized useruntil a standard deviation among the language patterns extracted fromthe plurality of message samples is within a predetermined range.
 5. Themethod as recited in claim 1, wherein sampling the messages comprises:sampling the messages associated with the authorized user until apredetermined number of samples is reached.
 6. The method as recited inclaim 1, wherein sampling the messages comprises: sampling the messagesassociated with the authorized user until a number of new words orphrases detected per transmission falls below a threshold.
 7. The methodas recited in claim 1, wherein sampling the messages comprises: samplingonly portions of the messages authored by the authorized user.
 8. Themethod as recited in claim 1, wherein sampling the messages comprisessampling beginning portions of the messages associated with theauthorized user.
 9. The method as recited in claim 1, furthercomprising: determining a number of the messages that are authored bythe authorized user; and determining that the authorized user is aprimary user of the account based on the number of the messages that areauthored by the authorized user.
 10. A computer readable medium storingcomputer program instructions for detecting unauthorized user accountcommunications, which, when executed on a processor, cause the processorto perform operations comprising: sampling messages associated with anauthorized user of an account to provide a plurality of message samples;creating an authorized profile based on language patterns extracted fromthe plurality of message samples; comparing a language pattern extractedfrom a recent message with the authorized profile to determine adeviation between the language pattern extracted from the recent messageand the authorized profile; determining that the recent message is anunauthorized user account communication when the deviation does notsatisfy an allowable amount of deviation, the allowable amount ofdeviation being based on an amount of samples in the plurality ofmessage samples; and generating an alert indicating that the recentmessage is an unauthorized user account communication.
 11. The computerreadable medium as recited in claim 10, the operations furthercomprising: transmitting the alert to a recipient of the recent message.12. The computer readable medium as recited in claim 10, whereingenerating the alert comprises: generating the alert comprising alocation of a device from which the recent message was received.
 13. Thecomputer readable medium as recited in claim 10, wherein sampling themessages comprises: sampling the messages associated with the authorizeduser until a standard deviation among the language patterns extractedfrom the plurality of message samples is within a predetermined range.14. The computer readable medium as recited in claim 10, whereinsampling the messages comprises: sampling the messages associated withthe authorized user until a predetermined number of samples is reached.15. An apparatus, comprising: a processor; and a memory to storecomputer program instructions, the computer program instructions whenexecuted on the processor cause the processor to perform operationscomprising: sampling messages associated with an authorized user of anaccount to provide a plurality of message samples; creating anauthorized profile based on language patterns extracted from theplurality of message samples; comparing a language pattern extractedfrom a recent message with the authorized profile to determine adeviation between the language pattern extracted from the recent messageand the authorized profile; determining that the recent message is anunauthorized user account communication when the deviation does notsatisfy an allowable amount of deviation, the allowable amount ofdeviation being based on an amount of samples in the plurality ofmessage samples; and generating an alert indicating that the recentmessage is an unauthorized user account communication.
 16. The apparatusas recited in claim 15, the operations further comprising: transmittingthe alert to a recipient of the recent message.
 17. The apparatus asrecited in claim 15, wherein generating the alert comprises: generatingthe alert comprising a location of a device from which the recentmessage was received.
 18. The apparatus as recited in claim 15, whereinsampling the messages comprises: sampling the messages associated withthe authorized user until a number of new words or phrases detected pertransmission falls below a threshold.
 19. The apparatus as recited inclaim 15, wherein sampling the messages comprises: sampling onlyportions of the messages authored by the authorized user.
 20. Theapparatus as recited in claim 15, wherein sampling the messagescomprises sampling beginning portions of the messages associated withthe authorized user.